🚨IDEsaster: AI IDE Vulnerabilities Turn Developer Tools into an Enterprise Attack Surface

This week covers a new class of AI supply chain attacks targeting developer workflows. Security researchers disclosed 24 CVE-assigned vulnerabilities across popular AI-enhanced IDEs, where prompt injection enables remote code execution, data exfiltration, and credential theft directly from developer machines. We also unpack ServiceNow’s reported $7B Armis acquisition as a signal of asset visibility convergence, and why Rubrik’s Matt Castriotta argues identity backup is now non-negotiable for real cyber resilience.

Hello from the Cloud-verse!

This week’s Cloud Security Newsletter topic: Your Backup Strategy Is Incomplete Without Identity Recovery (continue reading) 


In case this is your first Cloud Security Newsletter: you are in good company!
You are reading this issue along with friends and colleagues from companies like Netflix, Citi, JP Morgan, LinkedIn, Reddit, GitHub, GitLab, Capital One, Robinhood, HSBC, British Airways, Airbnb, Block, Booking Inc and more, who subscribe to this newsletter because, like you, they want to learn what’s new in Cloud Security each week from their industry peers, just like the many others who listen to Cloud Security Podcast & AI Security Podcast every week.

Welcome to this week’s Cloud Security Newsletter

This week brings sobering reminders that cyber resilience isn't just about having backups; it's about having the ability to recover when everything you trust becomes compromised. From a CVSS 10.0 React vulnerability under active nation-state exploitation to AI coding assistants becoming supply chain attack vectors, the attack surface continues expanding in ways traditional disaster recovery plans never anticipated.

In this edition, we explore why identity systems have become "ground zero" for cyber resilience with Matt Castriotta, Field CTO for Cloud at Rubrik. Matt brings seven years of shepherding cloud security at Rubrik and over two decades in data management, offering hard-won insights on why having backups doesn't mean you can recover, and why your Active Directory might be your most critical unprotected asset. [Listen to the episode]

📰 TL;DR for Busy Readers

  • 💻 IDEsaster: 24 CVEs across Cursor, Windsurf, GitHub Copilot, Zed, Roo Code, and Junie - 100% of tested AI IDEs vulnerable to prompt injection, enabling RCE and data exfiltration from developer machines

  • 🔐 Identity is ground zero: Forest-level Active Directory recovery must be part of every cyber resilience plan

  • 🤖 AI supply chain attacks: PromptPwnd + IDEsaster show AI coding assistants acting as high-privilege non-human identities

  • 💰 ServiceNow-Armis ($7B): Consolidation signals asset visibility and CMDB accuracy are now resilience prerequisites.

📰 THIS WEEK'S TOP 3 SECURITY HEADLINES

1. IDEsaster: 30+ Vulnerabilities in AI IDEs

A comprehensive security analysis has uncovered 24 CVE-assigned vulnerabilities across popular AI-enhanced IDEs including Cursor, Windsurf, GitHub Copilot, Zed, Roo Code, and Junie. The research found that 100% of tested AI IDEs are vulnerable to prompt injection attacks that, when combined with legacy IDE features, enable remote code execution and data exfiltration. The vulnerabilities affect developer workstations directly, potentially compromising source code and credentials stored in local development environments.

Why This Matters: Developer workstations have become high-value targets, and AI IDE vulnerabilities provide attackers with direct access to intellectual property and credentials. This complements the PromptPwnd findings and underscores a broader theme: AI integration is outpacing security controls. For security leaders, this means extending zero-trust principles to developer tools and ensuring that credential management doesn't rely on the security of local development environments. Recovery plans must account for scenarios where developer machines and associated credentials are compromised.

2. ServiceNow in Talks to Acquire Armis for $7 Billion

ServiceNow is negotiating to acquire cyber asset management platform Armis for approximately $7 billion, marking what would be the company's largest M&A deal to date. Armis specializes in providing visibility into operational technology (OT), Internet of Things (IoT), and unmanaged assets, critical blind spots for enterprise security teams.

Why This Matters: This acquisition signals major consolidation in the enterprise asset management space and highlights the convergence of CMDB (Configuration Management Database) capabilities with cybersecurity. For cloud security leaders, this underscores the growing importance of a comprehensive asset inventory, something Matt Castriotta emphasizes as foundational to cyber resilience: "You'd be amazed at how many customers I talk to that don't have a CMDB and are not inventorying exactly what they have. Shadow IT is still a thing." The deal also reflects increasing focus on critical infrastructure protection, particularly OT/IoT environments that traditional security tools struggle to cover.

3. PromptPwnd: AI Coding Assistant Supply Chain Attacks

Security researchers have disclosed a new vulnerability class affecting AI coding assistants in CI/CD pipelines, dubbed "PromptPwnd." The attack vector uses prompt injection in GitHub Actions and GitLab CI/CD workflows to exploit AI agents like Gemini CLI, Claude Code, and OpenAI Codex. Successful exploitation enables secret exfiltration, remote code execution, and GitHub token theft. At least five Fortune 500 companies have been confirmed as impacted. Google patched Gemini CLI within four days of disclosure.

Why This Matters: This represents an entirely new attack surface that traditional security controls weren't designed to address. As organizations rush to adopt AI coding assistants for productivity gains, they're introducing non-human identities with broad access to code repositories and secrets. Castriotta's warning about AI agents resonates here: "If we're gonna use AI to increase productivity, we're gonna need to remove the human in the loop... You need the ability to understand what that agent did, and if that agent did something erroneous, you need the ability to be able to rewind that back." Organizations need visibility into AI agent activity and the capability to recover from erroneous or malicious actions.

🎯 Cloud Security Topic of the Week:

Identity as Ground Zero: Why Your Backup Strategy is Incomplete Without Identity Recovery

The conversation around cyber resilience has evolved beyond "do you have backups?" to a more critical question: Can you actually recover when your identity systems are compromised? Most organizations treat identity as a security control to protect, but few treat it as a data source that requires the same backup and recovery rigor as their databases and applications.

This oversight creates a dangerous gap. As Matt Castriotta explains: "If identity's down, everything's down. You have no ability to access anything. Your identity system is ground zero. It's the perimeter".

Definitions and Core Concepts 📚

Before diving into our insights, let's clarify some key terms:

  • Cyber Resilience vs. Disaster Recovery: Cyber resilience is the ability to recover when data and identity systems are inherently mistrusted due to attacker compromise. Disaster recovery assumes data and identity remain in a "trusted zone" and focuses on business continuity during outages.

  • Operational Recovery: Restoration from accidental changes or errors where systems remain in a trusted state; this requires rewinding to a known good point in time.

  • Forest-Level Recovery: In Active Directory environments, the process of recovering an entire domain forest structure, typically required when attackers have compromised the root domain or made extensive changes to the directory structure.

  • Minimum Viable Company (MVC): The critical subset of systems and data required to maintain essential business operations during a major cyber incident; the foundation of effective cyber recovery planning.

  • Survivable Backups: Backup copies that are immutable, air-gapped, or otherwise protected from tampering by attackers who have gained privileged access to production environments.

This week's issue is sponsored by AI Security Podcast 

In-depth practitioner discussions on Enterprise AI risk, governance, and security with guests including AI Bug Bounty Hunters, CISOs from Foundational Models & more.

💡Our Insights from this Practitioner 🔍

Why Backups Aren't Enough & Identity Recovery is Key against Ransomware (Full Episode here)

The Fatal Flaw in Modern Backup Strategies

When organizations say "we have backups", they're often conflating business continuity with cyber resilience. This distinction matters enormously when an attacker is inside your environment.

Matt Castriotta draws a stark line: "Having backup doesn't mean anything. Do you have the ability to recover? That's the key. You always have to think about it as: I don't have a backup, I have an insurance policy. I have a recovery plan. I have the ability to get my business back".

The challenge with traditional disaster recovery is that it assumes your data and identity remain trusted. But modern attackers operate as authenticated users within your environment. Once they're in, everything becomes suspect. Castriotta explains: "Once the cyber attacker gets into the environment, most likely by acting as an authorized and authenticated user on your network, at that point your data and your identity are inherently mistrusted. Now I have to figure out what did they impact and how do I get back to a good clean point".

This is why cloud-native continuity features like S3 versioning and cross-region replication create false confidence. Castriotta cautions: "Just because you replicate your data, if your data's impacted in your primary region, the replication is replicating that impact to the secondary region. Your secondary regions are now impacted too".

Practical Application: Audit your current backup strategy by asking three questions:

  1. Can you identify which backup copy is "clean" if your production systems are compromised?

  2. Do your backups exist outside the administrative domain of your production environment?

  3. Have you tested recovery scenarios where both production data AND identity systems are assumed compromised?

If you answered "no" to any of these, you have continuity but not resilience.

Identity: The New Perimeter That No One Is Backing Up

The most striking insight from Castriotta's experience is how few organizations treat identity as a recoverable data source. "A lot of times conversations around cybersecurity resilience are framed around backup recovery, but not really around identity", he notes.

This oversight is particularly dangerous because identity systems enable everything else. As Castriotta puts it: "Identity is the new perimeter. If identity's down, everything's down. You have no ability to access anything. Your identity system is ground zero".

Attackers understand this better than defenders. They infiltrate environments through compromised identities, escalate privileges through misconfigured IAM roles, and move laterally across accounts and regions. The identity layer is both their entry point and their highway through your environment.

Yet when organizations plan cyber recovery, identity is often an afterthought. Castriotta observes: "There are businesses that were built solely on just protecting identity systems: Active Directory backup solutions. So yes, absolutely, your identity system needs protection not only from an operational error... but also from the fact that an attacker could make many modifications to your identity system to facilitate their lateral movement".

Practical Application: Evaluate your identity recovery posture:

For On-Premises Environments:

  • Do you have the ability to perform forest-level Active Directory recovery?

  • Can you recover domain controllers to known-good states within your RTO?

  • Are your AD backups stored outside the domain they're backing up?

For Cloud Environments:

  • Are you backing up IAM policies, roles, and trust relationships?

  • Can you detect and revert unauthorized privilege escalations?

  • Do you have offline copies of service principal credentials?

For Hybrid Environments:

  • Can you recover Entra ID (Azure AD) configurations independently of on-premises AD?

  • Are conditional access policies backed up and version-controlled?

  • Can you rebuild federation trusts if both sides are compromised?
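The cloud checklist above asks whether IAM policies, roles and trust relationships are backed up and whether unauthorized privilege escalations can be detected and reverted. The following is an added example (not Rubrik's or AWS's code) of the minimal mechanics behind that: keep a known-good snapshot of role definitions, diff the current state against it, and turn the differences into a revert plan. It assumes snapshots shaped like the RoleDetailList in IAM's GetAccountAuthorizationDetails output, reduced to the fields used here; both snapshots, the role names and the account id are constructed sample data, and the plan is only built, never executed.

```python
"""Back up IAM role definitions as a snapshot, diff the current state against a
known-good snapshot, and produce a revert plan for the differences.

Added example for this newsletter; it is not Rubrik's or AWS's code. It assumes
snapshots shaped like the RoleDetailList in IAM's GetAccountAuthorizationDetails
output, reduced to the fields used here; both snapshots are constructed sample data.
"""
import copy
import json


def by_name(snapshot):
    """Index a snapshot's roles by RoleName."""
    return {r["RoleName"]: r for r in snapshot["RoleDetailList"]}


def trust_principals(role):
    """Return every principal an Allow statement lets assume this role."""
    principals = set()
    for stmt in role["AssumeRolePolicyDocument"].get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":  # anyone may assume the role: a finding on its own
            principals.add("*")
            continue
        for value in principal.values():  # keys are AWS, Service or Federated
            for p in (value if isinstance(value, list) else [value]):
                principals.add(p)
    return principals


def attached_policies(role):
    return {p["PolicyArn"] for p in role.get("AttachedManagedPolicies", [])}


def diff_snapshots(baseline, current):
    """List privilege-relevant changes in `current` relative to `baseline`."""
    base, cur = by_name(baseline), by_name(current)
    findings = []
    for name in sorted(base.keys() | cur.keys()):
        if name not in base:
            findings.append({"role": name, "kind": "new_role",
                             "detail": sorted(attached_policies(cur[name]))})
        elif name not in cur:
            findings.append({"role": name, "kind": "removed_role", "detail": None})
        else:
            for p in sorted(trust_principals(cur[name]) - trust_principals(base[name])):
                findings.append({"role": name, "kind": "new_trust_principal", "detail": p})
            for arn in sorted(attached_policies(cur[name]) - attached_policies(base[name])):
                findings.append({"role": name, "kind": "new_policy", "detail": arn})
    return findings


def revert_plan(findings, baseline):
    """Translate findings into IAM operations (named after the IAM API calls that
    would perform them). This builds the plan; it does not execute anything."""
    base = by_name(baseline)
    plan, trust_reset = [], set()
    for f in findings:
        if f["kind"] == "new_policy":
            plan.append({"op": "detach_role_policy", "RoleName": f["role"],
                         "PolicyArn": f["detail"]})
        elif f["kind"] == "new_trust_principal" and f["role"] not in trust_reset:
            trust_reset.add(f["role"])  # one reset per role restores the whole document
            plan.append({"op": "update_assume_role_policy", "RoleName": f["role"],
                         "PolicyDocument": json.dumps(base[f["role"]]["AssumeRolePolicyDocument"])})
        elif f["kind"] == "new_role":
            # Created outside the baseline: investigate before deleting anything
            plan.append({"op": "review_manually", "RoleName": f["role"]})
        elif f["kind"] == "removed_role":
            plan.append({"op": "recreate_from_snapshot", "RoleName": f["role"]})
    return plan


# Constructed known-good snapshot (the "clean" copy taken before the incident).
BASELINE = {"RoleDetailList": [
    {"RoleName": "ci-deploy",
     "AssumeRolePolicyDocument": {"Statement": [
         {"Effect": "Allow", "Principal": {"Service": "codebuild.amazonaws.com"},
          "Action": "sts:AssumeRole"}]},
     "AttachedManagedPolicies": [
         {"PolicyArn": "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"}]},
    {"RoleName": "reporting-agent",
     "AssumeRolePolicyDocument": {"Statement": [
         {"Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"},
          "Action": "sts:AssumeRole"}]},
     "AttachedManagedPolicies": [
         {"PolicyArn": "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"}]},
]}

# Constructed "current" state: a widened trust policy, an admin policy attached,
# and a role that does not exist in the baseline at all.
CURRENT = copy.deepcopy(BASELINE)
_ci = by_name(CURRENT)["ci-deploy"]
_ci["AssumeRolePolicyDocument"]["Statement"].append(
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "sts:AssumeRole"})  # 111122223333 is a placeholder account id
_ci["AttachedManagedPolicies"].append(
    {"PolicyArn": "arn:aws:iam::aws:policy/AdministratorAccess"})
CURRENT["RoleDetailList"].append(
    {"RoleName": "unreviewed-support",
     "AssumeRolePolicyDocument": {"Statement": []},
     "AttachedManagedPolicies": [{"PolicyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}]})

if __name__ == "__main__":
    found = diff_snapshots(BASELINE, CURRENT)
    print(json.dumps(found, indent=2))
    print(json.dumps(revert_plan(found, BASELINE), indent=2))
```

The point of the design is that the baseline snapshot has to live outside the administrative domain it describes (the same requirement the backup questions above put on data backups); an attacker with IAM write access who can also rewrite the snapshot removes the one reference you would diff against. A new role is deliberately routed to manual review rather than automatic deletion, since the diff cannot tell an attacker-created role from a change made legitimately after the snapshot.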

Castriotta emphasizes that identity recovery must come first: "Your identity system is ground zero. You need the ability to bring that back first before you bring back anything else".

The Assumed Breach Mindset: Gaming Out Total Compromise

Organizations that succeed in cyber resilience share a common trait: they've adopted an "assumed breach" mindset and actually practiced large-scale recovery.

Castriotta explains the difference: "The organizations that really succeed are the ones that have already gone beyond [perimeter security]. They've adopted this assumed breach mindset and they've gamed out the process of what a large-scale cyber recovery would look like".

This isn't a theoretical exercise. "When I say game it out, I mean they've done tabletop exercises with their security organization, with security teams that they partner with. IT and security are in lockstep with each other, and security has a vested interest in recovery—which security doesn't always have a vested interest in recovery in organizations".

The concept of "Minimum Viable Company" becomes critical here. Organizations need to identify: "What comprises my minimum viable company and what would it take for me to bring that back if assuming everything was impacted."

This requires brutal honesty about dependencies. Castriotta notes the first step: "The ability to know the assets that you have and the RTO expectations for each of the applications you're running in your environment. You'd be amazed at how many customers I talk to that don't have a CMDB and are not inventorying exactly what they have. Shadow IT is still a thing. Untracked buckets are still a thing".

Practical Application: Conduct a Minimum Viable Company exercise:

  1. Define Core Business Functions: What are the 3-5 capabilities required to keep your business operating at minimal viability? (For many organizations: customer-facing services, payment processing, internal communications, identity/access systems)

  2. Map Technical Dependencies: For each core function, document:

    • Primary applications and their data sources

    • Identity/authentication requirements

    • Network/connectivity dependencies

    • Third-party service dependencies

    • Regulatory/compliance considerations

  3. Establish Recovery Priorities: Assign tiers to applications:

    • Tier 0: Identity systems and core infrastructure

    • Tier 1: Revenue-generating applications (bring back within hours)

    • Tier 2: Business-critical applications (bring back within days)

    • Tier 3-4: Important but non-critical applications

  4. Test the Recovery Runbook: Execute tabletop exercises where IT and security jointly practice recovery scenarios. Key question: "If we assume our production environment and identity systems are fully compromised, how do we rebuild from backups while ensuring we're not restoring malicious changes?"

Organizations that skip this planning discover painful truths during actual incidents—when time pressure and stress make clear thinking nearly impossible.

The AI Agent Challenge: Recovery in the Age of Autonomous Actions

The emergence of AI agents introduces a new dimension to cyber resilience that traditional backup strategies never contemplated. As Castriotta observes: "AI has really opened people's eyes to the fact that the data is the gold. That is your crown jewels. And then access to it and how you facilitate that access."

The challenge intensifies when AI agents act autonomously. "We're gonna need to remove the human in the loop. The human in the loop right now is what's getting in the way", Castriotta explains. "When that does decrease and there's less humans in the loop, you need the ability to understand what that agent did, and if that agent did something erroneous, you need the ability to be able to rewind that back".

This creates unprecedented visibility and recovery requirements. Unlike human operators, whose actions can be logged and audited through established patterns, AI agents may make thousands of decisions per hour across multiple systems. The PromptPwnd and IDEsaster vulnerabilities this week demonstrate how AI agents can be manipulated to exfiltrate secrets and execute code, essentially becoming insider threats that operate at machine speed.

Castriotta emphasizes that organizations are creating "overly permissive non-human identities... because AI needs access to all the data". These privileged service accounts become attractive targets and potential blast radius amplifiers.

Practical Application: Implement AI agent oversight and recovery capabilities:

Visibility and Auditability:

  • Deploy comprehensive logging for all AI agent actions, not just successful operations

  • Track which data sources agents access and what changes they make

  • Monitor for unusual patterns in agent behavior (e.g., accessing data outside normal scope)

  • Maintain chain-of-custody logs showing which prompts led to which actions

Access Controls:

  • Apply least-privilege principles to AI agent service accounts

  • Use time-limited credentials where possible (rotate frequently)

  • Implement approval workflows for high-risk agent operations

  • Segment agent access by function: don't give one agent access to everything

Recovery Mechanisms:

  • Ensure you can identify "pre-agent" backup snapshots for critical systems

  • Test recovery scenarios where you need to revert agent-made changes

  • Document the process for disabling compromised agents and revoking their access

  • Maintain offline copies of configurations that agents might modify
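The three lists above (log every agent action including denied ones, keep chain-of-custody from prompt to action, scope each agent's access, and be able to rewind agent-made changes) are mechanical enough to show in code. The following is an added example written for this newsletter; it is not Rubrik Agent Cloud or any vendor's code. The agent name, the scope policy, the prompts and the in-memory stand-in for a repository checkout are all constructed, and the "tool calls" are simulated rather than wired to a real agent framework.

```python
"""Chain-of-custody audit trail for an AI agent's tool calls: every read and
write is logged with the prompt that caused it, out-of-scope calls are denied
but still recorded, and applied writes can be rewound to a pre-agent state.

Added example for this newsletter; it is not Rubrik Agent Cloud or any vendor's
code. The agent name, scope policy, prompts and in-memory files are constructed.
"""
import hashlib
from dataclasses import dataclass
from typing import Optional

# Assumed per-agent scope: path prefixes the agent may read and write.
SCOPE = {"docs-agent": {"read": ("docs/",), "write": ("docs/",)}}


@dataclass
class AuditEntry:
    seq: int
    agent: str
    prompt_hash: str          # links the action back to the prompt that caused it
    action: str               # "read" or "write"
    path: str
    before: Optional[str]     # prior content of a written file, kept for rewind
    in_scope: bool            # False means the call was denied (and still logged)


class AgentAuditTrail:
    def __init__(self, agent, files):
        self.agent = agent
        self.files = files                 # in-memory stand-in for a repo checkout
        self.snapshot = dict(files)        # pre-agent snapshot, taken before any action
        self.entries = []

    def _permitted(self, action, path):
        return any(path.startswith(p) for p in SCOPE.get(self.agent, {}).get(action, ()))

    def record(self, prompt, action, path, content=None):
        """Log the call; apply it only if it is within the agent's scope."""
        in_scope = self._permitted(action, path)
        before = self.files.get(path) if action == "write" else None
        self.entries.append(AuditEntry(
            seq=len(self.entries) + 1, agent=self.agent,
            prompt_hash=hashlib.sha256(prompt.encode()).hexdigest()[:16],
            action=action, path=path, before=before, in_scope=in_scope))
        if in_scope and action == "write":
            self.files[path] = content
        return in_scope

    def out_of_scope(self):
        """Denied calls: the 'unusual pattern' signal worth alerting on."""
        return [e for e in self.entries if not e.in_scope]

    def actions_for_prompt(self, prompt):
        """Chain-of-custody query: which actions did this prompt lead to?"""
        h = hashlib.sha256(prompt.encode()).hexdigest()[:16]
        return [e for e in self.entries if e.prompt_hash == h]

    def rewind_to(self, seq):
        """Undo every applied write recorded after `seq`, newest first; returns the count."""
        undone = 0
        for e in reversed(self.entries):
            if e.seq <= seq:
                break
            if e.action == "write" and e.in_scope:
                if e.before is None:
                    self.files.pop(e.path, None)
                else:
                    self.files[e.path] = e.before
                undone += 1
        return undone

    def matches_snapshot(self):
        return self.files == self.snapshot


def build_demo_trail():
    """Constructed session: one legitimate edit, then a prompt whose tool calls
    stray outside the agent's scope and are denied."""
    files = {"docs/README.md": "v1", "src/app.py": "print('hi')",
             ".env": "API_KEY=placeholder"}   # constructed file contents
    trail = AgentAuditTrail("docs-agent", files)
    trail.record("Update the README", "write", "docs/README.md", "v2")
    trail.record("Summarize the project", "read", ".env")
    trail.record("Summarize the project", "write", "src/app.py", "changed")
    return trail


if __name__ == "__main__":
    t = build_demo_trail()
    for e in t.out_of_scope():
        print(f"denied: seq={e.seq} {e.action} {e.path} prompt={e.prompt_hash}")
    print("writes undone:", t.rewind_to(0), "restored:", t.matches_snapshot())
```

Two choices matter here. Denied calls are logged with the same prompt hash as successful ones, so a single prompt that produced one in-scope write and two denied reads shows up as one correlated event rather than three unrelated lines. And `before` is captured at write time, which is what makes `rewind_to` possible without a full filesystem snapshot; the snapshot is kept anyway as the independent check that the rewind actually landed.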

Rubrik's upcoming Agent Cloud platform addresses this gap by providing visibility into agent operations and the ability to rewind changes, recognizing that AI agents represent both productivity opportunities and new threat vectors that require specific resilience strategies.

Multi-Cloud Recovery: Beyond Checkbox Compliance

The DORA regulations in the European Union are forcing financial services organizations to confront multi-cloud recovery realities. But as Castriotta notes, many are approaching this as compliance theater rather than genuine resilience.

"Right now what I'm seeing is that a lot of folks are treating DORA as sort of a checkbox. I'm just gonna make sure that I copy my backups to Azure. I'm not gonna make sure they're in a format that Azure can even understand, nor am I even gonna ever test a recovery back into something in Azure".

This approach fails on multiple levels. First, egress costs make cross-cloud data movement expensive at scale. Second, and more critically, AWS and Azure are fundamentally different: "VMs that are spun up in AWS look nothing like VMs spun up in Azure. How do you do that conversion and do it on the fly in a way where I can build my application on the other side cleanly?"

The recent AWS outages underscore why this matters. When the East-1 region went down, it took Amazon an entire day to restore capacity. As Castriotta points out: "Even the hyperscalers struggle with the complexity of what they've built. If even the hyperscalers struggle with that, our customers are struggling with the complexity of what they've built too. They need a recovery plan that can get them back quickly."

Practical Application: Build genuine multi-cloud resilience:

Assessment Phase:

  1. Identify applications where multi-cloud recovery provides genuine value (typically: tier-0/tier-1 applications, regulatory requirements, geopolitical risk concerns)

  2. Calculate the total cost of true multi-cloud recovery (egress, storage, conversion tools, testing)

  3. Determine if the investment justifies the risk mitigation

Implementation Phase:

  1. Test recovery to alternate clouds quarterly, not just backing up to them

  2. Maintain runbooks for the conversion process (don't assume hyperscaler migration tools will work during an incident)

  3. Pre-position networking, identity, and security configurations in the alternate cloud

  4. Ensure your team has actual hands-on experience with both platforms

Reality Check: For most organizations, multi-cloud recovery for all workloads isn't economically viable. Focus on:

  • Critical applications that justify the investment

  • Data archives that can be stored cost-effectively across clouds

  • Disaster recovery scenarios where you accept longer RTOs for alternate-cloud recovery

The key insight: multi-cloud backup is easy; multi-cloud recovery is hard. Don't confuse the two.


Question for you? (Reply to this email)

 🤖 Should companies work on an AI Backup Plan?

Next week, we'll explore another critical aspect of cloud security. Stay tuned!

📬 Want weekly expert takes on AI & Cloud Security? [Subscribe here]

We would love to hear from you📢 for a feature or topic request or if you would like to sponsor an edition of Cloud Security Newsletter.

Thank you for continuing to subscribe, and welcome to the new members of this newsletter community💙

Peace!

Was this forwarded to you? You can sign up here to join our growing readership.

Want to sponsor the next newsletter edition? Let's make it happen.

Have you joined our FREE Monthly Cloud Security Bootcamp yet?

Check out our sister podcast, AI Security Podcast.